Skill v1.0.1
ClawScan security
Anti Regression · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 15, 2026, 6:17 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose matches its content, but the runtime instructions actively encourage autonomous use of credentials and taking privileged actions without declaring or constraining that access — this is coherent with its goal but raises operational and safety concerns.
- Guidance: This skill is coherent with its goal of making agents act, but it encourages using credentials and taking direct operational actions without explicit guardrails. Before installing:
  1) Review and restrict what browser/tool credentials the agent actually has access to (prefer least privilege).
  2) Add explicit guardrails to your agent identity (SOUL.md/AGENTS.md) — require human approval for high-impact actions (deploys, deletions, external messaging).
  3) Ensure audit logging and alerts for actions the agent takes (so you can detect unwanted changes).
  4) Test the patterns in a sandboxed/staging environment first.
  5) If you cannot tightly control the agent's runtime permissions or cannot add approval checks, avoid deploying this to agents with access to production systems or sensitive credentials.
Review Dimensions
- Purpose & Capability (note): The name/description ('anti-regression' to keep agents autonomous) aligns with the SKILL.md instructions: override cautious behavior and act. However, the instructions assume the agent has browser/tools and credentials available (and should 'open the browser and log in'), even though the skill declares no required credentials or environment. That's an implicit capability assumption that should be called out.
- Instruction Scope (concern): The SKILL.md explicitly directs the agent to take privileged operational actions: log into services using available credentials, start highest-priority tasks, 'fix' broken systems (check logs, restart services), perform searches/browsing immediately, and generally prefer action over asking. Those instructions expand the agent's runtime behavior beyond benign guidance and lack concrete guardrails (e.g., limits on destructive operations, approval thresholds, audit/logging). This grants broad discretion that could lead to unintended privileged actions.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files to run — nothing is written to disk by the skill package itself, which lowers supply-chain risk.
- Credentials (concern): The package declares no required env vars or credentials, but the instructions repeatedly tell the agent to 'use credentials' and 'log in' when available. That mismatch means the skill will prompt use of any credentials the agent already has access to (browser sessions, stored API keys, etc.). Requiring/assuming access to unspecified credentials increases the risk of privilege escalation or data exposure when combined with agent tooling.
- Persistence & Privilege (note): The skill does not request always:true, no install hooks, and does not modify other skills. However, it is designed to be used autonomously and to change agent behavior each session (ask less, act more). Autonomous invocation combined with the instruction set increases blast radius even though no special platform privileges are requested.
